How scammers get free stuff from Amazon, no questions asked

As online holiday shopping reaches its frenzied peak, Amazon.com customers are raising concerns over a new type of identity theft scam that could be harming the company just as much as its customers’ reputations.

In a lengthy but informative blog post at HTMList.com, Chris Cardinal relates his recent experience dealing with the online retail giant after some unknown person manipulated gaps in Amazon’s online customer support system to reorder items Cardinal had already purchased on his account.

After canceling several attempted replacement shipments to an address in Oregon, Cardinal was able to obtain transcripts of several conversations he’d supposedly had with Amazon customer service representatives. But these conversations were in fact the actions of a scam artist posing as Cardinal to take advantage of Amazon’s user-friendly customer service system.

“I love that (Amazon’s) policy is whatever makes the customer happy,” Cardinal told The Daily Dot. “Nearly-no-questions-asked replacement orders are fantastic when there's a legitimate problem, and it's something they have to know is abused but they're chalking up to the cost of doing business. But the scammer isn't the customer, and if I need to make a legitimate claim that an order wasn’t received, I run a significant risk of getting blowback from Amazon because of history on my account.”

Chat transcripts provided by Cardinal show the scammer was able to reorder merchandise by providing a few pieces of easily obtained data, like product numbers, Cardinal’s name and his address. Although Amazon’s automated transactions require secure passwords, Cardinal said it’s easy for scammers to bluff their way past real people on customer service chats, because Amazon customer service reps don’t ask for any secure information, such as passwords or payment information.

Cardinal writes in his post: “If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.”

Other weaknesses in the delivery system can also play into scammers’ hands. In his case, Cardinal said a hand-off from FedEx to the U.S. Postal Service for final delivery could have made it hard for Amazon to confirm package delivery. And even though the scammer was asking that the replacement items be sent to a completely different address, the request could easily be explained away with an excuse about being out of town for an extended period of time.

But in examining this mysterious address, Cardinal found it belonged to a mail-forwarding company in Portland, which means the products are surely being sent out of the country. His search on the company, Reship.com, uncovered a number of complaints from other Amazon customers similar to his.

As of the time of this posting, Cardinal says Amazon has not responded to his blog post. Nor has the company responded to The Daily Dot’s request for comment. But Cardinal said Amazon has responded to his complaints as a customer and has deactivated his account to further investigate the matter. And he said his own test, an attempt to bait a customer service rep into changing his account email address without providing any secure information, was rejected.

“The rep held fast: without the email address, she wasn't going to budge, even after I gave her my order number,” Cardinal said.

As it stands, the fraud committed in Cardinal’s name hurts Amazon the most, since they are the ones sending out free merchandise. But Cardinal worries that his own reputation with the company will be hurt if he actually does need to ask for a legitimate replacement shipment in the future. And citing how another Amazon leak was implicated in the substantial Mat Honan iCloud hack documented in Wired several months ago, Cardinal is concerned about the spectre of more devastating information leaks.

“It’s clear that there’s a scam going on and it’s probably going largely unnoticed,” Cardinal writes. “It doesn’t cost the end user anything, except perhaps suspicion if they ever have a legitimate fraud complaint. But it’s also highlighting that Amazon is entirely too lax with their customer support team.”